using various subkeys

David Shaw
Tue Aug 20 17:33:01 2002

On Tue, Aug 20, 2002 at 04:37:20PM +0200, Adrian 'Dagurashibanipal' von Bidder wrote:
> Yo!
> In a recent thread I picked up the idea of using multiple subkeys
> instead of entirely different key pairs. I just want to be sure I
> understand all implications of what I want to do - no need to get my
> keys killed...
> Basically I have a computer at home, regarded secure, and computers that
> are less secure. Primary concern is signing, I rarely use encryption. I
> want to use the same key everywhere without letting somebody compromise
> my primary key.
> So I
>  - generate a key with the default settings (DSA/ElG)
>  - add a second subkey (DSA)
>  - --export-secret-subkeys
>  - import this into a new keyring and delete the encryption subkey.
>    (the primary secret key contains no cryptographical data, right?)
>  - transfer this keyring onto the not-so-secure machine and use it just
>    as I would a normal key. gpg automatically selects the signing subkey
>    to sign, as it cannot use the primary one.

You are trying to make a key with two signing keys (primary and
subkey) and no encryption subkey?  If so, you can generate that
directly.  Just generate a "DSA sign only" key, then add a DSA subkey
to it.

> Possible issues - I hope I understand this correctly:
>  - Keyservers will not work with my new key. (Except LDAP)

Well, it's not clear actually.  The HKP bug eats keys with more than
one subkey, and you will only have one.  There may be another bug
lurking in there, but it may also be fine.  You could test it :)

>  - PGP users can verify such signatures from version ???

8.0.  In other words, no current version.  Imad's PGP 6.5.8ckt can do
it, however.

>  - gpg users can verify such signatures from version ???

Not sure.  Certainly 1.0.4 and later can do it, and I suspect much
earlier as well.

>  - There is no way to tie a subkey to a userid (if I were to
>    use encryption subkeys, this would be a hint 'if you mail me
>    at this address, use that subkey').


>  - if the subkey is compromised, the attacker can sign documents with 
>    it (of course).


>  - if the subkey is compromised, the attacker can sign other keys with
>    it (I believe. Or can a key only be signed with the primary?)

Well, theoretically yes, but no OpenPGP program accepts key signatures
from subkeys.  The attacker could do some magic to change the subkey
into a primary key, but then it would not be trusted any longer.

>  - If I were to import a dummy-primary key into my master keyring, gpg
>    merges the keys just right.


>  - all this does not affect the management of the user ids in any way.


>  - when the primary secret key is available, gpg will by default use
>    it and not the additional signing subkey.

No.  It will use the signing subkey by default unless you are making a
key signature.  You will need to use the keyid! syntax if you want to
use the primary signing key to make a signature.


   David Shaw
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson
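
A check for the keyring layout discussed in this thread, as an added example that is not part of the original messages: it reads `gpg --list-secret-keys --with-colons` output and confirms that the primary secret key is only a stub while a signing-capable subkey is usable. The function names are hypothetical and the sample listing is constructed with placeholder key IDs; the check relies on GnuPG's colon format, where field 12 holds capabilities and field 15 of a `sec`/`ssb` record is `#` when the secret part is missing.

```shell
#!/bin/sh
# Added example: audit a secret keyring on the less secure machine.
# Real use: gpg --list-secret-keys --with-colons | check_subkey_only

# Constructed sample: the keyring after importing the output of
# --export-secret-subkeys (primary is a stub, signing subkey present).
sample_laptop_listing() {
cat <<'EOF'
sec:u:1024:17:AAAAAAAAAAAAAAAA:1029857581:::u:::scSC:::#:
uid:u::::1029857581::0000000000000000000000000000000000000000::Example User <user@example.org>:
ssb:u:1024:17:BBBBBBBBBBBBBBBB:1029857600::::::s:::+:
EOF
}

# Constructed sample: the home keyring, primary secret key present.
sample_home_listing() {
cat <<'EOF'
sec:u:1024:17:AAAAAAAAAAAAAAAA:1029857581:::u:::scSC:::+:
uid:u::::1029857581::0000000000000000000000000000000000000000::Example User <user@example.org>:
ssb:u:1024:17:BBBBBBBBBBBBBBBB:1029857600::::::s:::+:
EOF
}

# Reads a colon listing on stdin.
# Exit 0: every primary is a stub and at least one signing subkey is usable.
# Exit 1: layout is not what was intended. Exit 2: no secret keys listed.
check_subkey_only() {
    awk -F: '
        # sec = primary secret key record; "#" in field 15 marks a stub
        $1 == "sec" { nsec++; if ($15 != "#") primary_present = 1 }
        # ssb = secret subkey record; lowercase "s" in field 12 = can sign
        $1 == "ssb" && $15 != "#" && $12 ~ /s/ { signing_sub++ }
        END {
            if (nsec == 0) { print "no secret key records found"; exit 2 }
            if (primary_present) {
                print "FAIL: primary secret key material is present"; exit 1
            }
            if (signing_sub == 0) {
                print "FAIL: no usable signing subkey"; exit 1
            }
            print "OK: primary is a stub, " signing_sub " signing subkey(s) usable"
        }'
}

# Demonstration on the constructed laptop listing.
sample_laptop_listing | check_subkey_only
```
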